Rulan Campaign Redirects to RIG EK at 188.225.33.43 and Drops a Miner

Today I was doing some digging (no pun intended) into numerous domains used during recent malvertising redirection chains. These domains appear to be related to a campaign dubbed “Rulan”.

Let’s start by showing the redirection chain:

As you can see from the TCP streams, there is a series of 302 redirects leading to the RIG EK landing page, which is hosted at 188.225.33.43. This campaign has been known to drop the banking Trojan Chthonic, but this time it appears to have dropped a miner.

The payload is dropped in %Temp% and then copied to, and run from, C:\Users\User\AppData\Roaming\Microsoft\DirectX:

Callback traffic is found going to 188.209.52.54 via TCP port 21025:

Here is another view:

So, we can see the instructions for 185.62.189.10 via TCP port 3333, as well as the wallet address:
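To turn the observations above into something a defender can run against their own logs, here is an added example (my own code, not part of the original post or of any tool it shows). It takes the indicators the post gives (the RIG landing IP 188.225.33.43, the callback to 188.209.52.54:21025, the 185.62.189.10:3333 connection, and the AppData\Roaming\Microsoft\DirectX drop directory) and checks them against constructed proxy-log, flow-record and file-path inputs. The log formats, the client IPs and the hop domains (ads.example, hop1.example, and so on) are assumptions made up for the example; the intermediate Rulan domains are not named in the post.

```python
"""Detection helpers for the Rulan -> RIG EK -> miner chain described in the post.

Indicators below are the ones given in the post; every log line is constructed
for this example and uses an assumed, simplified format.
"""
from urllib.parse import urlsplit

RIG_LANDING_IP = "188.225.33.43"                       # EK landing page host (from the post)
MINER_CALLBACKS = {("188.209.52.54", 21025),           # callback seen in the pcap (from the post)
                   ("185.62.189.10", 3333)}            # second connection on TCP/3333 (from the post)
DROP_DIR_SUFFIX = r"\appdata\roaming\microsoft\directx"  # where the payload is copied (from the post)

# Constructed proxy log (assumed format): client method url status location-or-dash
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://ads.example/click?id=1 302 http://hop1.example/r
10.0.0.5 GET http://hop1.example/r 302 http://hop2.example/go
10.0.0.5 GET http://hop2.example/go 302 http://188.225.33.43/?q=landing
10.0.0.5 GET http://188.225.33.43/?q=landing 200 -
10.0.0.7 GET http://news.example/article 200 -
10.0.0.7 GET http://news.example/login 302 http://news.example/home
10.0.0.7 GET http://news.example/home 200 -
"""

# Constructed flow records (assumed format): src dst dport proto
SAMPLE_FLOWS = """\
10.0.0.5 188.209.52.54 21025 tcp
10.0.0.5 8.8.8.8 53 udp
10.0.0.5 185.62.189.10 3333 tcp
10.0.0.7 93.184.216.34 443 tcp
"""


def parse_proxy_log(text):
    """Parse the constructed proxy format into dicts, in original order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url, status, location = line.split()
        records.append({"client": client, "url": url, "status": int(status),
                        "location": None if location == "-" else location})
    return records


def redirect_chains(records):
    """Group requests per client and stitch 302 -> Location -> next request into chains.

    A chain ends at the first non-302 response; every request belongs to some chain.
    """
    by_client = {}
    for r in records:
        by_client.setdefault(r["client"], []).append(r)
    chains = []
    for client, reqs in by_client.items():
        current = None
        for r in reqs:
            if current and r["url"] == current[-1]["location"]:
                current.append(r)                     # request follows the previous Location
            else:
                if current:
                    chains.append((client, current))  # previous chain broke off unfinished
                current = [r]
            if r["status"] != 302:
                chains.append((client, current))      # final hop reached
                current = None
        if current:
            chains.append((client, current))
    return chains


def rig_landing_chains(records, min_redirects=2):
    """Return (client, [urls]) for chains of >= min_redirects 302s that end on the RIG landing IP."""
    hits = []
    for client, chain in redirect_chains(records):
        redirects = sum(1 for r in chain if r["status"] == 302)
        if redirects >= min_redirects and urlsplit(chain[-1]["url"]).hostname == RIG_LANDING_IP:
            hits.append((client, [r["url"] for r in chain]))
    return hits


def flag_miner_flows(text):
    """Return (src, dst, dport) for flows matching the post's callback/pool indicators."""
    matches = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, _proto = line.split()
        if (dst, int(dport)) in MINER_CALLBACKS:
            matches.append((src, dst, int(dport)))
    return matches


def is_suspect_drop_path(path):
    """True if an executable sits in the Roaming\\Microsoft\\DirectX directory named in the post."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    return directory.endswith(DROP_DIR_SUFFIX) and name.endswith(".exe")


if __name__ == "__main__":
    for client, urls in rig_landing_chains(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"[EK chain] {client}: " + " -> ".join(urls))
    for src, dst, dport in flag_miner_flows(SAMPLE_FLOWS):
        print(f"[miner callback] {src} -> {dst}:{dport}")
    print(is_suspect_drop_path(r"C:\Users\User\AppData\Roaming\Microsoft\DirectX\payload.exe"))
```

The chain walker only links a request to the previous one when its URL equals the Location header that was just returned, so an ordinary single 302 (the login/home pair for 10.0.0.7) is not flagged, while the three-hop chain that lands on 188.225.33.43 is. The `min_redirects` threshold is a tunable assumption; the IPs and ports are what the post reports and should be treated as indicators for this campaign only, since EK infrastructure rotates.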